CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (2.7)

CWE-896: SFP Cluster: Tainted Input

 
Category ID: 896 (Category)
Status: Incomplete

Description

Description Summary

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster.

Relationships

Every relationship below pertains to view 888, Software Fault Pattern (SFP) Clusters (primary).

| Nature | Type | ID | Name |
|---|---|---|---|
| ParentOf | Weakness Base | 15 | External Control of System or Configuration Setting |
| ParentOf | Weakness Class | 20 | Improper Input Validation |
| ParentOf | Weakness Class | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| ParentOf | Weakness Class | 75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| ParentOf | Weakness Base | 76 | Improper Neutralization of Equivalent Special Elements |
| ParentOf | Weakness Class | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| ParentOf | Weakness Base | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| ParentOf | Weakness Base | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| ParentOf | Weakness Variant | 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| ParentOf | Weakness Variant | 81 | Improper Neutralization of Script in an Error Message Web Page |
| ParentOf | Weakness Variant | 82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page |
| ParentOf | Weakness Variant | 83 | Improper Neutralization of Script in Attributes in a Web Page |
| ParentOf | Weakness Variant | 84 | Improper Neutralization of Encoded URI Schemes in a Web Page |
| ParentOf | Weakness Variant | 85 | Doubled Character XSS Manipulations |
| ParentOf | Weakness Variant | 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
| ParentOf | Weakness Variant | 87 | Improper Neutralization of Alternate XSS Syntax |
| ParentOf | Weakness Base | 88 | Argument Injection or Modification |
| ParentOf | Weakness Base | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| ParentOf | Weakness Base | 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| ParentOf | Weakness Base | 91 | XML Injection (aka Blind XPath Injection) |
| ParentOf | Weakness Base | 93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| ParentOf | Weakness Class | 94 | Improper Control of Generation of Code ('Code Injection') |
| ParentOf | Weakness Base | 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| ParentOf | Weakness Base | 96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| ParentOf | Weakness Variant | 97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
| ParentOf | Weakness Base | 99 | Improper Control of Resource Identifiers ('Resource Injection') |
| ParentOf | Category | 100 | Technology-Specific Input Validation Problems |
| ParentOf | Weakness Variant | 102 | Struts: Duplicate Validation Forms |
| ParentOf | Weakness Variant | 103 | Struts: Incomplete validate() Method Definition |
| ParentOf | Weakness Variant | 104 | Struts: Form Bean Does Not Extend Validation Class |
| ParentOf | Weakness Variant | 105 | Struts: Form Field Without Validator |
| ParentOf | Weakness Variant | 106 | Struts: Plug-in Framework not in Use |
| ParentOf | Weakness Variant | 107 | Struts: Unused Validation Form |
| ParentOf | Weakness Variant | 108 | Struts: Unvalidated Action Form |
| ParentOf | Weakness Variant | 109 | Struts: Validator Turned Off |
| ParentOf | Weakness Variant | 110 | Struts: Validator Without Form Field |
| ParentOf | Weakness Base | 112 | Missing XML Validation |
| ParentOf | Weakness Base | 113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| ParentOf | Weakness Base | 114 | Process Control |
| ParentOf | Weakness Class | 116 | Improper Encoding or Escaping of Output |
| ParentOf | Weakness Variant | 130 | Improper Handling of Length Parameter Inconsistency |
| ParentOf | Weakness Base | 134 | Uncontrolled Format String |
| ParentOf | Weakness Class | 138 | Improper Neutralization of Special Elements |
| ParentOf | Weakness Base | 140 | Improper Neutralization of Delimiters |
| ParentOf | Weakness Variant | 141 | Improper Neutralization of Parameter/Argument Delimiters |
| ParentOf | Weakness Variant | 142 | Improper Neutralization of Value Delimiters |
| ParentOf | Weakness Variant | 143 | Improper Neutralization of Record Delimiters |
| ParentOf | Weakness Variant | 144 | Improper Neutralization of Line Delimiters |
| ParentOf | Weakness Variant | 145 | Improper Neutralization of Section Delimiters |
| ParentOf | Weakness Variant | 146 | Improper Neutralization of Expression/Command Delimiters |
| ParentOf | Weakness Variant | 147 | Improper Neutralization of Input Terminators |
| ParentOf | Weakness Variant | 148 | Improper Neutralization of Input Leaders |
| ParentOf | Weakness Variant | 149 | Improper Neutralization of Quoting Syntax |
| ParentOf | Weakness Variant | 150 | Improper Neutralization of Escape, Meta, or Control Sequences |
| ParentOf | Weakness Variant | 151 | Improper Neutralization of Comment Delimiters |
| ParentOf | Weakness Variant | 152 | Improper Neutralization of Macro Symbols |
| ParentOf | Weakness Variant | 153 | Improper Neutralization of Substitution Characters |
| ParentOf | Weakness Variant | 154 | Improper Neutralization of Variable Name Delimiters |
| ParentOf | Weakness Variant | 155 | Improper Neutralization of Wildcards or Matching Symbols |
| ParentOf | Weakness Variant | 156 | Improper Neutralization of Whitespace |
| ParentOf | Weakness Variant | 157 | Failure to Sanitize Paired Delimiters |
| ParentOf | Weakness Variant | 158 | Improper Neutralization of Null Byte or NUL Character |
| ParentOf | Weakness Class | 159 | Failure to Sanitize Special Element |
| ParentOf | Weakness Variant | 160 | Improper Neutralization of Leading Special Elements |
| ParentOf | Weakness Variant | 161 | Improper Neutralization of Multiple Leading Special Elements |
| ParentOf | Weakness Variant | 162 | Improper Neutralization of Trailing Special Elements |
| ParentOf | Weakness Variant | 163 | Improper Neutralization of Multiple Trailing Special Elements |
| ParentOf | Weakness Variant | 164 | Improper Neutralization of Internal Special Elements |
| ParentOf | Weakness Variant | 165 | Improper Neutralization of Multiple Internal Special Elements |
| ParentOf | Weakness Base | 166 | Improper Handling of Missing Special Element |
| ParentOf | Weakness Base | 167 | Improper Handling of Additional Special Element |
| ParentOf | Weakness Base | 168 | Improper Handling of Inconsistent Special Elements |
| ParentOf | Weakness Class | 172 | Encoding Error |
| ParentOf | Weakness Variant | 173 | Improper Handling of Alternate Encoding |
| ParentOf | Weakness Variant | 174 | Double Decoding of the Same Data |
| ParentOf | Weakness Variant | 175 | Improper Handling of Mixed Encoding |
| ParentOf | Weakness Variant | 176 | Improper Handling of Unicode Encoding |
| ParentOf | Weakness Variant | 177 | Improper Handling of URL Encoding (Hex Encoding) |
| ParentOf | Weakness Base | 178 | Improper Handling of Case Sensitivity |
| ParentOf | Weakness Base | 179 | Incorrect Behavior Order: Early Validation |
| ParentOf | Weakness Base | 180 | Incorrect Behavior Order: Validate Before Canonicalize |
| ParentOf | Weakness Base | 181 | Incorrect Behavior Order: Validate Before Filter |
| ParentOf | Weakness Base | 182 | Collapse of Data into Unsafe Value |
| ParentOf | Weakness Base | 183 | Permissive Whitelist |
| ParentOf | Weakness Base | 184 | Incomplete Blacklist |
| ParentOf | Weakness Class | 185 | Incorrect Regular Expression |
| ParentOf | Weakness Base | 186 | Overly Restrictive Regular Expression |
| ParentOf | Weakness Base | 198 | Use of Incorrect Byte Ordering |
| ParentOf | Weakness Class | 228 | Improper Handling of Syntactically Invalid Structure |
| ParentOf | Weakness Base | 229 | Improper Handling of Values |
| ParentOf | Weakness Variant | 230 | Improper Handling of Missing Values |
| ParentOf | Weakness Variant | 231 | Improper Handling of Extra Values |
| ParentOf | Weakness Variant | 232 | Improper Handling of Undefined Values |
| ParentOf | Weakness Base | 233 | Improper Handling of Parameters |
| ParentOf | Weakness Variant | 234 | Failure to Handle Missing Parameter |
| ParentOf | Weakness Variant | 235 | Improper Handling of Extra Parameters |
| ParentOf | Weakness Variant | 236 | Improper Handling of Undefined Parameters |
| ParentOf | Weakness Base | 237 | Improper Handling of Structural Elements |
| ParentOf | Weakness Variant | 238 | Improper Handling of Incomplete Structural Elements |
| ParentOf | Weakness Variant | 239 | Failure to Handle Incomplete Element |
| ParentOf | Weakness Variant | 240 | Improper Handling of Inconsistent Structural Elements |
| ParentOf | Weakness Base | 241 | Improper Handling of Unexpected Data Type |
| ParentOf | Weakness Base | 351 | Insufficient Type Distinction |
| ParentOf | Weakness Base | 354 | Improper Validation of Integrity Check Value |
| ParentOf | Weakness Base | 427 | Uncontrolled Search Path Element |
| ParentOf | Weakness Base | 444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
| ParentOf | Weakness Base | 454 | External Initialization of Trusted Variables or Data Stores |
| ParentOf | Weakness Base | 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| ParentOf | Weakness Base | 471 | Modification of Assumed-Immutable Data (MAID) |
| ParentOf | Weakness Base | 472 | External Control of Assumed-Immutable Web Parameter |
| ParentOf | Weakness Variant | 473 | PHP External Variable Modification |
| ParentOf | Weakness Base | 494 | Download of Code Without Integrity Check |
| ParentOf | Weakness Variant | 496 | Public Data Assigned to Private Array-Typed Field |
| ParentOf | Weakness Variant | 502 | Deserialization of Untrusted Data |
| ParentOf | Weakness Variant | 545 | Use of Dynamic Class Loading |
| ParentOf | Weakness Variant | 553 | Command Shell in Externally Accessible Directory |
| ParentOf | Weakness Variant | 554 | ASP.NET Misconfiguration: Not Using Input Validation Framework |
| ParentOf | Weakness Variant | 564 | SQL Injection: Hibernate |
| ParentOf | Weakness Variant | 566 | Authorization Bypass Through User-Controlled SQL Primary Key |
| ParentOf | Weakness Variant | 601 | URL Redirection to Untrusted Site ('Open Redirect') |
| ParentOf | Weakness Base | 606 | Unchecked Input for Loop Condition |
| ParentOf | Weakness Variant | 611 | Improper Restriction of XML External Entity Reference ('XXE') |
| ParentOf | Weakness Variant | 616 | Incomplete Identification of Uploaded File Variables (PHP) |
| ParentOf | Weakness Base | 619 | Dangling Database Cursor ('Cursor Injection') |
| ParentOf | Weakness Base | 621 | Variable Extraction Error |
| ParentOf | Weakness Variant | 622 | Improper Validation of Function Hook Arguments |
| ParentOf | Weakness Base | 624 | Executable Regular Expression Error |
| ParentOf | Weakness Base | 625 | Permissive Regular Expression |
| ParentOf | Weakness Variant | 626 | Null Byte Interaction Error (Poison Null Byte) |
| ParentOf | Weakness Base | 627 | Dynamic Variable Evaluation |
| ParentOf | Weakness Base | 641 | Improper Restriction of Names for Files and Other Resources |
| ParentOf | Weakness Base | 643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| ParentOf | Weakness Variant | 644 | Improper Neutralization of HTTP Headers for Scripting Syntax |
| ParentOf | Weakness Variant | 646 | Reliance on File Name or Extension of Externally-Supplied File |
| ParentOf | Weakness Base | 652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
| ParentOf | Weakness Class | 673 | External Influence of Sphere Definition |
| ParentOf | Weakness Class | 707 | Improper Enforcement of Message or Data Structure |
| MemberOf | View | 888 | Software Fault Pattern (SFP) Clusters |

Content History

Submissions
Submission Date | Submitter | Organization | Source
2012-03-22 | Internal CWE Team

Page Last Updated: June 23, 2014